04-27-2004 01:20 PM - edited 03-10-2019 07:46 AM
Can you point me to a configuration guide that would walk me through using my ACS 3.2 Appliance to be the RADIUS authenticator for WIN2K PCs? I'd like to implement 802.1x and the PCs are connected to a 3560 switch. Also, if Active Directory could be used, that would be great. - Thanks
05-07-2004 08:17 AM
Any update on this?
05-12-2004 09:06 PM
With 802.1x, there are multiple ways of authenticating win2k machines.
There is EAP-MD5 (the simplest and weakest)
PEAP - (the 2nd simplest and pretty strong)
EAP-TLS or TTLS (the most difficult and strongest)
There are also LEAP and EAP-FAST, both proprietary methods by Cisco.
Now, this link here
http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_configuration_examples_list.html
explains how to set up ACS in conjunction with either PEAP or EAP-TLS. The thing with both is that they require an Enterprise Certificate Authority Server to authenticate the machines/user accounts.
If you only require 802.1x for wired connection, EAP-MD5 would be fine (and is simple enough... requires no CA).
For assistance on how to set up your switch with 802.1x, look up your respective Cisco switch and go to the configuration guides. Most sections cover setting up 802.1x (including dynamic VLAN allocation).
I am in the middle of setting up our infrastructure with PEAP. It's secure enough to be used with wireless and wired connections and relatively simple to deploy in a medium to large enterprise.
I would also highly recommend reading the Wireless papers which discuss 802.1x EAP-TLS and PEAP.
http://www.microsoft.com/technet/security/guidance/peap_0.mspx
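For reference, an added example that is not part of the replies above or of Cisco's guides: a minimal switch-side 802.1x configuration pointing a Catalyst access port at a RADIUS server such as the ACS appliance, including the authorization line needed for dynamic VLAN assignment. The server address, shared secret, VLAN and interface are constructed placeholders, and the syntax is the older `dot1x port-control` form (newer IOS releases use `authentication port-control auto`).

```cisco
! --- Constructed example: all addresses, keys, VLANs and ports are placeholders ---
!
! Enable the AAA subsystem
aaa new-model
! Send 802.1x authentication requests to the RADIUS server group
aaa authentication dot1x default group radius
! Let the switch apply RADIUS-returned network attributes (dynamic VLAN)
aaa authorization network default group radius
!
! RADIUS server (the ACS appliance); the key must match the AAA client
! entry defined for this switch on the ACS side
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <shared-secret>
!
! Turn on 802.1x globally
dot1x system-auth-control
!
interface FastEthernet0/1
 description 802.1x-protected access port
 ! 802.1x requires a static access port, not a dynamic or trunk port
 switchport mode access
 ! Fallback VLAN used when RADIUS returns no VLAN attributes
 switchport access vlan 10
 ! Port stays unauthorized until the supplicant authenticates
 dot1x port-control auto
 spanning-tree portfast
!
! For dynamic VLAN assignment the RADIUS server returns (RFC 3580):
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = 802 (6)
!   Tunnel-Private-Group-ID = <VLAN name or ID>
```

`show dot1x all` on the switch reports the per-port 802.1x state once a client connects.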